Last week, we wrote that Adobe was “calling time” on Flash, according to a blog post from Adobe Corporate Communications with the rather unexciting title of Flash and the Future of Interactive Content.

Sophos Home

In fact, Adobe has said simply that it “will stop updating and distributing the Flash Player at the end of 2020.”

In other words, even those of us who have been trying for years to wean the world off Flash still don’t have much to celebrate.

In more than three years’ time, people will still be using Flash, and Adobe will still be stuck in the ongoing process of “encourag[ing] content creators to migrate any existing Flash content to [the] new open formats [like HTML5, WebGL and WebAssembly].”

With all this in mind, why would anyone want to keep Flash going even longer?

Long live Flash!

Finnish software developer Juha Lindstedt thinks he has an answer, and a petition to go with it:

Flash along with its sister project Shockwave is an important piece of internet history and killing Flash and Shockwave means future generations can’t access the past. Games, experiments and websites would be forgotten.

So he’s asking Adobe to release Flash as open source, just in case.

Open sourcing Flash and the Shockwave spec would be a good solution to keep Flash and Shockwave projects alive safely for archive reasons. Don’t know how, but that’s the beauty of open source: you never know what will come up after you go open source!

We’ve not convinced.

After all, we already live in a world from which many other important pieces of internet history have as good as vanished, apparently without causing us to lose our grip on either the past or the future.

Post navigation

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too.
Follow him on Twitter: @duckblog

29 comments on “Should Adobe make Flash open source? [POLL]”

I’m a little mixed on this one. On one hand, I’d LOVE to get rid of Flash once and for all on ongoing and new websites. On the other, I hate to see history vanish… and there is a LOT of history wrapped up in Flash applets. Many of them aren’t simple animations that can just be converted to video for hosting somewhere like Youtube.

What I think I’d like to see is it go open source, but “official” development/maintenance be mainly aimed at a standalone player version… you know, like the one Adobe used(?) to offer as part of the dev kit. Sure, people could technically go ahead and continue updating plugin versions, but that should be discouraged.

I’d certainly be good with that, as long as it’s compatible enough to run most flash applications. I’d still want something that could be stored locally without jumping through too many hoops, though – it’s the archivalist in me.

That said, I’d still like to see websites completely shift off using it for their main system or anything important. If you make a shim too easy to just drop in, it tends to encourage not actually updating or redesigning the codebase… I’ve heard a few stories about some old mainframe applications running inside two or more layers of system emulation as they had to move off old hardware but refused to rewrite the application itself. I can’t verify that personally, but it does sound like something that would happen.

When I want to play a classic dos game or purchase one that hasn’t been updated in a decade, GOG does a decent job wrapping them in a DOSBox emulator. Flash can survive the same way – in an emulation sandbox – never to be a vector for threats again.

Don’t open source it… take it out back and put it down like the rabid beast it has become.

I am mixed about this too. Flash needs to die a quick death, and it needs to be done in a way that discourages zombies as much as possible. But there is a lot of great old flash content that would be wonderful to preserve. If push came to shove I would say no to preserving flash, but if it could be done in such a way that it could not be available for continued use then I would not have a problem with it.

Not so that it can be maintained in perpetuity, but so that truly better, more secure software projects, such as lightspark and pepper, can make use of the now-open API and create secure interfaces that can run flash objects without all the security problems.

I honestly don’t think the OSS community will improve its security… the code is inherently insecure. So many hooks into the browsers and vectors for attack… there maybe someone out there willing to take on this – but I suspect it would be much more useful in the hands of nefarious ne’er do wells that want to utilize the code to find more hacks.

How many websites were built by contracted Flash devs who haven’t the time or inclination to contact all their former clients, each ignorant of their problem and unaware that their site will gradually see less traffic?

There will always be stragglers who choose to remain on old technology (WinXP, anyone?). Whether it’s ignorance, apathy, laziness, or a lack of funding/planning/resources the ‘net will still have Flash on F-Day.

With major browsers and outlets already tapering its use, smaller entities may be unable to follow so quickly. I’ll feel more at ease with the belly of this beast exposed for inspection. While the “many eyes make all bugs shallow” philosophy is imperfect,

Adobe FLASH has a long history of security issues. Without a significant effort to rip out the areas that have caused FLASH to have such a poor security profile, releasing FLASH as OSS would be bad.

Adobe has had the opportunity to really fix FLASH. They, however, have chosen not to remove problematic APIs or capabilities. An OSS release of FLASH would probably not solve any of these issues either.

If they are keeping the code to archive it, then whatever.
If they are giving it to us to archive, Im fine with that too since we’d finally be able to find a way for flash to work without having to update it every 12 minutes and 21 seconds.

Internet browsers are already increasingly reducing support for Flash (and plugins in general in some cases). If archived versions of Flash Player exist to install on legacy browsers to view old websites, that should be enough for “Internet History”, but don’t expect future browsers to support old code in any form just to view “historical” websites made a decade ago.

I’d make it open source, but not necessarily so it can live longer. Simply because of the fact that Flash won’t just die in 2020, and people won’t just stop using it only because it’s no longer supported. So I think I’d prefer it doesn’t get less secure than it is by not getting any fixes.

Should it be killed and not open sourced, I have little doubt that someone will eventually release an emulator for it. I feel sorry though for some companies whose major source of income is the ever popular flash games that so many people play. Poof! Those companies will be crushed. And OddTodd who, after losing his job, created his website and livelihood from his mostly flash web site… Poof! His replacement income source destroyed. I’m sure there are many, many others.

I ditched Flash several years ago, and haven’t missed it at all. Except, perhaps, the inability to view an amazing scale of the universe animation, which was very hypnotic and mind-blowing. But Flash itself? Kill it with an update that wipes Flash from a computer on a specific date, thus giving users time to prepare for its demise.

Except when word gets out that the “final update” will remove Flash, panicked stragglers will turn to the reverse engineers to block it. That would only work if it was an unannounced wipe.

And despite Adobe announcing “Flash will no longer receive updates after next week,” if they were to instead execute a global uninstall they’d be applauded by us security nerds, but the masses would see it as a sneak attack and feel betrayed. And those masses are the ones paying for Photoshop, so it won’t happen.

I voted that it should be made open source for reasons of preserving history, but I don’t think it will result in a more secure version.

The flash codebase is almost certainly a crufty mess that contains all sorts of bad assumptions and design decisions that makes good security very hard, so as a result fixing security bugs is a tedious exercise in papering over yet more cracks. (If the code base was well designed from a security standpoint, then security bugs would be rare and would get fixed quickly, and we know that is not the case).

Open source developers choose what projects they contribute to, and they mostly choose things that are cutting edge, exciting, or necessary for their professional day jobs. Flash is none of these, so I don’t think it will get much love from volunteer devs.

Apart from playing old flash games, The only use I can see for an open source flash player is as a reference implementation to help guide and debug a full ground up re-write.